A critical vulnerability in all but the most recent WordPress versions has been revealed by security firm RIPS Tech. The vulnerability allows an unauthenticated attacker to hijack a logged-in administrator’s account and run arbitrary code on the target site.
RIPS Tech reports that ‘the vulnerabilit[y] exist[s] in WordPress versions prior to 5.1.1 and is exploitable with default settings.’ The exploit relies on an attacker being able to post comments to the target site, with RIPS Tech adding that ‘comments are a core feature of blogs and are enabled by default’, meaning that ‘the vulnerability affected millions of sites.’
WordPress applies security updates automatically by default, but some users may have disabled this functionality. If so, an updated version of WordPress must be installed immediately. RIPS Tech also advises that, in future, users ‘make sure to logout of your administrator session before visiting other websites.’
RIPS Tech’s blog post contains full technical details about the exploit, which leverages an initial CSRF in order to inject HTML into the target’s page, followed by a stored XSS attack, resulting in the attacker being able to ‘execute arbitrary JavaScript code with the session of the administrator’.
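As an added illustration (not code from RIPS Tech or from WordPress core, and independent of the fix shipped in 5.1.1), the following must-use plugin shows how each step of the chain described above can be cut at the application layer: a per-session nonce ties every comment submission to the form the visitor actually rendered, which a cross-site request cannot supply, and every stored comment body is passed through wp_kses_post so injected HTML cannot carry script even when the poster is an administrator. The hook and function names are WordPress core APIs; the nonce action string, field name and plugin file name are my own choices.

```php
<?php
/**
 * Plugin Name: Harden Comment Submission (added example, not WordPress core)
 * Drop into wp-content/mu-plugins/ so it loads before any theme or plugin code.
 */

// Constructed labels for the nonce action and the hidden form field.
const HCS_NONCE_ACTION = 'hcs_submit_comment';
const HCS_NONCE_FIELD  = 'hcs_comment_nonce';

// 1. Emit a session-bound nonce in the comment form for both anonymous and
//    logged-in visitors. A forged form post from another origin cannot know it.
function hcs_print_nonce_field() {
    wp_nonce_field( HCS_NONCE_ACTION, HCS_NONCE_FIELD, true, true );
}
add_action( 'comment_form_after_fields', 'hcs_print_nonce_field' );
add_action( 'comment_form_logged_in_after', 'hcs_print_nonce_field' );

// 2. Reject any regular comment whose nonce is missing or invalid, then
//    3. strip script-capable HTML from the body regardless of the poster's role.
function hcs_check_nonce_and_sanitize( $commentdata ) {
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';

    // Pingbacks and trackbacks never come from the rendered form; skip the nonce
    // check for them but still sanitize their content below.
    if ( '' === $type || 'comment' === $type ) {
        $nonce = isset( $_POST[ HCS_NONCE_FIELD ] ) ? (string) $_POST[ HCS_NONCE_FIELD ] : '';
        // wp_verify_nonce() returns false on failure and 1 or 2 on success.
        if ( ! wp_verify_nonce( $nonce, HCS_NONCE_ACTION ) ) {
            wp_die(
                'Comment rejected: missing or invalid form token.',
                'Forbidden',
                array( 'response' => 403 )
            );
        }
    }

    // wp_kses_post() keeps the HTML allowed in post content and removes
    // script tags, event-handler attributes and javascript: URLs, so a comment
    // stored under an administrator session cannot become a stored XSS payload.
    $commentdata['comment_content'] = wp_kses_post( $commentdata['comment_content'] );
    return $commentdata;
}
add_filter( 'preprocess_comment', 'hcs_check_nonce_and_sanitize' );
```

Because the nonce is only emitted by comment_form(), any client that submits comments without rendering that form (custom front ends, REST or AJAX submitters) will be rejected until it is taught to include the field.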